Cyber Security Today, Week in Review for week ending Friday May 17, 2024


Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, May 17th, 2024. I’m Howard Solomon, contributing reporter on cybersecurity for TechNewsday.com.


In a few minutes Terry Cutler, head of Montreal’s Cyology Labs, will be here to discuss recent news. That includes the seizure by law enforcement of the BreachForums criminal marketplace, the agreement of over 60 tech companies to sign a voluntary pledge to put security first in the design of their products, and the call by the U.S. for like-minded countries to join in promoting an open digital ecosystem and responsible state behaviour in cyberspace.

But first a review of some of the other headlines from the past seven days:

Microsoft warned IT departments to block or uninstall the Windows Quick Assist tool if it isn’t being used. The tool is meant for IT staff to provide approved remote access to computers. However, the Black Basta ransomware gang recently began tricking employees into granting it access to their computers through Quick Assist, using phone calls in which the attackers claim to be from IT support.
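For administrators who want to act on the "uninstall it if you don't use it" advice, here is an added PowerShell example. It is not from Microsoft's advisory or from this page, and it assumes an elevated PowerShell session on Windows 10/11 where Quick Assist is present as the Store package MicrosoftCorporationII.QuickAssist and/or the legacy optional capability App.Support.QuickAssist~~~~0.0.1.0; confirm both names with Get-AppxPackage and Get-WindowsCapability on your own build before deploying, and keep the tool on the machines your helpdesk legitimately runs it from.

```powershell
# Added example (not Microsoft's or this page's code): audit and remove Quick Assist.
# Assumptions: elevated session; package/capability names below match your build.
$storePkg   = 'MicrosoftCorporationII.QuickAssist'    # Store (MSIX) Quick Assist
$capability = 'App.Support.QuickAssist~~~~0.0.1.0'    # legacy optional feature

function Get-QuickAssistState {
    # Reports which form(s) of Quick Assist are present so you can audit before acting.
    $cap = Get-WindowsCapability -Online -Name $capability -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        StorePackageInstalled = [bool](Get-AppxPackage -AllUsers -Name $storePkg -ErrorAction SilentlyContinue)
        StorePackageProvisioned = [bool](Get-AppxProvisionedPackage -Online |
                                         Where-Object DisplayName -eq $storePkg)
        CapabilityState       = if ($cap) { $cap.State } else { 'NotPresent' }
    }
}

function Remove-QuickAssist {
    # Removes the installed Store package for every user, the provisioned copy
    # (so it does not return for new user profiles), and the legacy capability.
    Get-AppxPackage -AllUsers -Name $storePkg -ErrorAction SilentlyContinue |
        Remove-AppxPackage -AllUsers

    Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -eq $storePkg |
        Remove-AppxProvisionedPackage -Online | Out-Null

    $cap = Get-WindowsCapability -Online -Name $capability -ErrorAction SilentlyContinue
    if ($cap -and $cap.State -eq 'Installed') {
        Remove-WindowsCapability -Online -Name $capability | Out-Null
    }
}

# Audit, remove, then re-audit to confirm nothing is left behind.
Get-QuickAssistState
Remove-QuickAssist
Get-QuickAssistState
```

Run the audit function across the fleet first so you know which machines actually have the tool, then the removal. Blocking the app while leaving it installed is a separate control (application control or device-management policy) that this example does not cover.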

The U.S. Federal Communications Commission warned telecom providers that a criminal group it calls Royal Tiger is behind fraudulent automated phone calls made to consumers in many countries, including the U.S. The robocall operation includes calls pretending to be from banks, government agencies and utilities.

Phishing attacks that include fake document signing requests are on the rise. Researchers at Abnormal Security say the fake messages ask an employee to click on a link to digitally sign a document using the DocuSign service. But clicking on the link starts a chain that downloads malware.

Ransomware gangs are increasingly targeting vulnerabilities in on-premises VPNs for initial access. That’s according to data compiled by insurance company At-Bay from attacks its customers suffered. Organizations managing their own VPNs were 11 times more likely last year to fall victim to a ransomware attack than those using a cloud-managed VPN or no VPN at all.

Eleven vulnerabilities have been found in GE Healthcare’s Vivid Ultrasound products used in hospitals and clinics. Researchers at Nozomi Networks say patches and mitigations are now available.

And Nigeria has stopped its attempt to fund national cybersecurity improvements through a tax on online transactions. According to Dark Reading, the public isn’t happy with an added tax during an economic crisis.

(The following is an edited transcript of the first of three topics discussed. To get the full conversation play the podcast)

Howard: Joining me now from Montreal is Terry Cutler of Cyology Labs. Hi there.

Let’s start with news that police including the FBI and law enforcement agencies in the U.K., Australia, New Zealand and Switzerland this week seized the website of the criminal marketplace called BreachForums as well as the gang’s page on the Telegram messaging site. It’s the second time the BreachForums site has been knocked out of business. Just over a year ago the original version of BreachForums was closed, several months after the 21-year-old administrator was arrested in the U.S. He was sentenced to 20 years of supervised release, including two years of home confinement.

Terry, this latest closure is another success for law enforcement. Why is it important?

Terry Cutler: For a couple of reasons: Obviously, BreachForums was the hub for cyber criminals to either buy, sell, trade, or even leak stolen data. So by shutting it down, actually law enforcement obviously disrupts these activities. It makes it harder for cyber criminals to operate. But at the same time, these cybercriminals most likely have a three-two-one strategy for their backups, where they have three copies of the data at all times, two on-site, one off-site, so they can get back online as quickly as possible.

With these seizures, authorities now have access to the site’s backend data, which includes email addresses, IP addresses and private messages from the forum members, so they can do reconnaissance to find out who these people are and build a case against these folks as well. And it sends a strong message to cyber criminals that law enforcement has their act together now and they’re able to start taking things down … We’re also seeing a lot more international co-operation. A lot of [law enforcement] agencies are working together to bring these cases because they’re all across borders. Collaboration here is crucial to take down these threats. I think taking down these forums helps protect [stolen] sensitive information as well. We saw in the news that Europol’s portal for experts [was hacked]. That [the seizure of BreachForums] could have prevented the sale and distribution of data that would have helped cyber criminals phish and scam [police] employees.

And by the way, BreachForums was one of the biggest marketplaces for criminals. Last month, a threat actor used this site to say they had over 49 million records of customers who bought computer products from Dell. BreachForums was also the site where hackers revealed that they had millions of pieces of stolen data from the 23andMe genetic testing website. So I think overall it’s a win for cybersecurity and demonstrates that law enforcement has their stuff together to take down these cybercriminals.

Howard: You’re suggesting in their 3-2-1 backup strategy that these crooks have better backup than a lot of enterprises.

Terry: Scary enough, but they do have their act together.

Howard: You mentioned the Europol hack. I know this is a coincidence, but last week a threat actor said on BreachForums that it hacked into the portal belonging to the Europol police co-operative and it stole data. Europol said no police operational data was stolen. They said that the portal that was hacked was a place where experts shared best practices, but the hacker said some of the data they copied was confidential. So was this takedown of BreachForums this week getting back at that particular hacker or was it just a coincidence?

Terry: I think even though Europol stated that there was no operational data that was taken, the fact that confidential data was accessed could be a major embarrassment and obviously a security concern. So I think by acting swiftly on this breach, law enforcement agencies were able to send a clear message that attacks on critical institutions like police and law enforcement will not be tolerated. It shows that they have clear tactics to help take these groups down. If the hackers did have a copy of confidential data, it’ll pose a real serious risk if it’s sold or distributed. So taking down this platform helped mitigate any dissemination of sensitive information.

Howard: The thing is, there’s big money in cybercrime. There’s great demand for buying and selling stolen data. So how much of a dent will this make in the criminal world? BreachForums itself came after a criminal marketplace called RaidForums was taken down in 2022.

Terry: These takedowns disrupt operations temporarily, but we’ve seen in the past how fast these groups get back online. So they lose their platform for a couple of weeks. History shows that they’re just gonna rebrand, restore from backup and they’re back up online as quickly as possible. The demand [from threat actors] for stolen data remains really high … It’s a multi-trillion dollar industry. So as long as there’s a profit to be made, new marketplaces will come up online …

But I think with each takedown law enforcement is actually enhancing their understanding and capabilities. The intelligence gathering that’s being done from these operations will help tackle and dismantle future platforms, especially with the help of telecom firms, because they can see what’s happening on the entire internet. It’s very important that they play a role in this thing. But in the end, these takedowns are only short term. They’re going to come back online under a different name at some point.

Howard Solomon, https://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.
